| Thread overview | |||||||
|---|---|---|---|---|---|---|---|
|
November 28, 2020 How to connect to SQLITE? | ||||
|---|---|---|---|---|
| ||||
 | Is there libs for SQLITE? How to use it? thanks. | |||
Permalink
ReplyNovember 28, 2020 Re: How to connect to SQLITE? | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to Alex NL | On Saturday, 28 November 2020 at 12:01:59 UTC, Alex NL wrote: > Is there libs for SQLITE? > How to use it? thanks. You may use google translate, https://d-land.sepany.de/tutorials/datenbanken/sqlite-erste-schritte/ Here I describe how to use Sqlite using dub package arsd-official. Kind regards Andre | |||
November 28, 2020 Re: How to connect to SQLITE? | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to Alex NL | On Saturday, 28 November 2020 at 12:01:59 UTC, Alex NL wrote: > Is there libs for SQLITE? > How to use it? thanks. https://github.com/aferust/GtkD-examples-for-TreeView-and-ListBox | |||
November 28, 2020 Re: How to connect to SQLITE? | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to Ferhat Kurtulmuş | On Saturday, 28 November 2020 at 13:29:50 UTC, Ferhat Kurtulmuş wrote: > On Saturday, 28 November 2020 at 12:01:59 UTC, Alex NL wrote: >> Is there libs for SQLITE? >> How to use it? thanks. > > https://github.com/aferust/GtkD-examples-for-TreeView-and-ListBox IMNSHO the code in example1.d string sql = format("UPDATE User SET %s = '%s' WHERE id = %s;", field, text, curId); db.query(sql); and that in example2.d string sql = format("UPDATE User SET %s = '%s' WHERE id = %d;", field, value, cid); db.query(sql); is prone to SQL injection attacks. Why don't you use ? as placeholder as in the example db.query("INSERT INTO people (id, name) VALUES (?, ?)", 5, "Adam"); of http://dpldocs.info/experimental-docs/arsd.database.html If your database is compromised you can blame the arsd.database author(s) for publishing a buggy db.escape function ;-) | |||
November 28, 2020 Re: How to connect to SQLITE? | ||||
|---|---|---|---|---|
| ||||
Posted in reply to kdevel | On Saturday, 28 November 2020 at 17:50:43 UTC, kdevel wrote:
> On Saturday, 28 November 2020 at 13:29:50 UTC, Ferhat Kurtulmuş wrote:
>> On Saturday, 28 November 2020 at 12:01:59 UTC, Alex NL wrote:
>>> Is there libs for SQLITE?
>>> How to use it? thanks.
>>
>> https://github.com/aferust/GtkD-examples-for-TreeView-and-ListBox
>
> IMNSHO the code in example1.d
>
> string sql = format("UPDATE User SET %s = '%s' WHERE id = %s;", field, text, curId);
> db.query(sql);
>
> and that in example2.d
>
> string sql = format("UPDATE User SET %s = '%s' WHERE id = %d;", field, value, cid);
> db.query(sql);
>
> is prone to SQL injection attacks. Why don't you use ? as placeholder as in the example
>
> db.query("INSERT INTO people (id, name) VALUES (?, ?)", 5, "Adam");
>
> of
>
> http://dpldocs.info/experimental-docs/arsd.database.html
>
> If your database is compromised you can blame the arsd.database author(s) for publishing a buggy db.escape function ;-)
I just didn't care about security vulnerability there. My focus was on GtkD functions. But you are right. It may mislead newbies. Library functions must have been used, not format, so that auto escape can work. I am too lazy to fix it :)
| |||
Copyright © 1999-2021 by the D Language Foundation